Something Old, Something New: Nmap’s VoIP Fingerprinting

Over time, it’s easy to become a bit out of touch with security tools. With new tools arriving on the scene daily, and updates to established tools occurring frequently, the deluge of information can be overwhelming; not to mention all of the other security fodder we process.

That said, I find it encouraging to revisit some of the really established tools to see what changes and improvements are in place. Nmap is without a doubt the classic security tool in every aspect, from quality, to longevity, to street credibility. Even Hollywood has a clue when it comes to Nmap, as evidenced by the Matrix, Bourne, and Die Hard films, where Nmap shows up on someone's computer screen!

One of my favorite Nmap features is its OS identification and application (service) fingerprinting. In part, this type of identification relies on the Nmap community scanning known devices and submitting signatures to be added to the Nmap databases (service probes, OS fingerprints, etc.).

As of 21 July 2009, the Nmap OS database has the following VoIP device fingerprints:

    Fingerprint Alcatel 4035 VoIP phone
    Fingerprint Sirio by Alice VoIP phone
    Fingerprint AudioCodes Mediant 1000 VoIP gateway
    Fingerprint Audiocodes MP-114 or MP-118 VoIP gateway
    Fingerprint Avaya G350 Media Gateway (VoIP gateway)
    Fingerprint Avaya Office IP403 VoIP gateway
    Fingerprint Avaya Office IP500 VoIP gateway
    Fingerprint Aastra 480i GT or 9133i IP phone
    Fingerprint Inter-tel 8662 VoIP phone
    Fingerprint Comtrend CT-800 VoIP gateway
    Fingerprint D-Link DVG-4022S VoIP gateway
    Fingerprint Grandstream HandyTone HT-488 analog VoIP adapter
    Fingerprint Grandstream BudgeTone 100 VoIP phone
    Fingerprint Grandstream BudgeTone 100 VoIP phone
    Fingerprint Grandstream GXP2000 VoIP phone
    Fingerprint Grandstream GXP2020 VoIP phone
    Fingerprint Thomson ST 2020 or 2030 VoIP phone
    Fingerprint Interbell IB-305 VoIP phone
    Fingerprint Linksys PAP2T VoIP router
    Fingerprint Linksys SPA901 or SPA921 SIP VoIP phone
    Fingerprint Linksys SPA942, SPA962, or SPA9000 VoIP phone; SPA3102 VoIP gateway; or Sipura SPA-2100 or SPA-2101 VoIP adapter
    Fingerprint Mitel 3300 CXi VoIP PBX
    Fingerprint Netcomm V300 VoIP gateway
    Fingerprint Neuf Box Trio3D DSL modem/router/VoIP/TV
    Fingerprint Nortel CS1000M VoIP PBX or Xerox Phaser 8560DT printer
    Fingerprint Patton SmartNode 4960 VoIP gateway (SmartWare 4.2)
    Fingerprint Perfectone IP-301 VoIP phone
    Fingerprint Planet VIP-154T VoIP phone (MicroC/OS-II)
    Fingerprint Polycom SoundPoint IP 301 VoIP phone
    Fingerprint Polycom SoundPoint IP 301 VoIP phone
    Fingerprint Polycom SoundPoint IP 430 VoIP phone
    Fingerprint PORTech GSM VoIP gateway
    Fingerprint PORTech MV-374 GSM-SIP VoIP gateway
    Fingerprint Samsung OfficeServ 7200 VoIP gateway
    Fingerprint ShoreTel ShoreGear-T1 VoIP switch
    Fingerprint Siemens HiPath optiPoint 400 VoIP phone
    Fingerprint Sipura SPA-1001 or SPA-3000 VoIP adapter
    Fingerprint Sipura SPA-3000 VoIP adapter
    Fingerprint Thomson Symbio VoIP phone
    Fingerprint Vegastream Vega 400 VoIP Gateway

It's also well worth taking a look at the VoIP devices identified in the Nmap Service Probes database: a service match that identifies a VoIP device does not mean that the device also has an OS fingerprint. In other words, there are VoIP devices in the Service Probes database that are not in the OS fingerprint database, so look carefully!
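The list above is essentially a filter over `nmap-os-db`, and the cross-check just described (VoIP devices the service probes know about but the OS database does not) can be automated. The script below is an example added for this article, not Nmap's own code; it parses the two file layouts (`Fingerprint`/`Class` lines in `nmap-os-db`, `match` lines with `p/…/` and `d/…/` fields in `nmap-service-probes`) and reports the gap. The embedded excerpts are constructed in those layouts for the example and are not copied from Nmap, and the vendor-plus-model token comparison is a heuristic of my own, not something Nmap does.

```python
"""Cross-check VoIP entries in Nmap's OS fingerprint database against its
service-probe database. Example code added for this article, not part of Nmap.
The sample data is constructed in the real files' layouts, not copied from them."""
import re
from typing import Dict, List

# Constructed excerpt in the nmap-os-db layout: an entry is a "Fingerprint" line,
# one or more "Class vendor | family | gen | device type" lines, then the test
# lines (SEQ, OPS, ...), which this script ignores.
SAMPLE_OS_DB = r"""
# excerpt constructed for this example
Fingerprint Grandstream GXP2000 VoIP phone
Class Grandstream | embedded || VoIP phone
SEQ(SP=0-5%GCD=1-6%ISR=0-15)

Fingerprint Nortel CS1000M VoIP PBX or Xerox Phaser 8560DT printer
Class Nortel | embedded || VoIP PBX
Class Xerox | embedded || printer

Fingerprint Linux 2.6.18 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
"""

# Constructed excerpt in the nmap-service-probes layout: a Probe line, then
# "match <service> m<delim>regex<delim>[flags] p/product/ v/version/ d/device/".
SAMPLE_SERVICE_PROBES = r"""
Probe UDP SIPOptions q|OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/UDP nm;branch=foo\r\n\r\n|
match sip m|^SIP/2\.0 200 OK.*Server: Grandstream GXP2000|s p/Grandstream GXP2000 SIP/ d/VoIP phone/
match sip m|^SIP/2\.0 200 OK.*Server: Example SIP Adapter|s p/Example Vendor SIP adapter/ d/VoIP adapter/
match http m|^HTTP/1\.[01] 200 OK.*Server: lighttpd|s p/lighttpd/
"""

# match/softmatch line: service, pattern delimiter, pattern, flags, version-info fields.
MATCH_LINE = re.compile(r"^(?:soft)?match\s+(\S+)\s+m(\S)(.*?)\2([a-z]*)\s*(.*)$")
# A version-info field is a single letter (p, v, i, h, o, d) followed by a
# delimited value; the delimiter may be any non-space character.
INFO_FIELD = re.compile(r"(?:^|\s)([pvihod])(\S)(.*?)\2")


def parse_os_db(text: str) -> List[dict]:
    """Return [{'name': ..., 'classes': [(vendor, family, gen, type), ...]}, ...]."""
    entries: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fingerprint "):
            entries.append({"name": line[len("Fingerprint "):].strip(), "classes": []})
        elif line.startswith("Class ") and entries:
            fields = tuple(f.strip() for f in line[len("Class "):].split("|"))
            entries[-1]["classes"].append(fields)
    return entries


def voip_fingerprints(entries: List[dict]) -> List[str]:
    """Names of OS fingerprints whose name or any Class device type mentions VoIP."""
    out = []
    for e in entries:
        types = [c[3] for c in e["classes"] if len(c) == 4]
        if "voip" in e["name"].lower() or any("voip" in t.lower() for t in types):
            out.append(e["name"])
    return out


def parse_service_probes(text: str) -> List[dict]:
    """Return one dict per match/softmatch line: service, regex, flags, info fields."""
    matches = []
    for line in text.splitlines():
        m = MATCH_LINE.match(line.strip())
        if not m:
            continue
        service, _, regex, flags, rest = m.groups()
        info: Dict[str, str] = {k: v for k, _, v in INFO_FIELD.findall(rest)}
        matches.append({"service": service, "regex": regex, "flags": flags, "info": info})
    return matches


def voip_service_products(matches: List[dict]) -> List[str]:
    """Product names from service matches whose device type or product mentions VoIP."""
    out = []
    for m in matches:
        product = m["info"].get("p", "")
        device = m["info"].get("d", "")
        if "voip" in device.lower() or "voip" in product.lower():
            out.append(product)
    return out


def products_without_fingerprint(products: List[str], fingerprint_names: List[str]) -> List[str]:
    """Heuristic (mine, not Nmap's): a product counts as covered when its first two
    tokens (vendor and model) both occur in some OS fingerprint name."""
    names = [n.lower() for n in fingerprint_names]
    uncovered = []
    for product in products:
        tokens = product.lower().split()[:2]
        if not any(all(t in n for t in tokens) for n in names):
            uncovered.append(product)
    return uncovered


def main() -> None:
    os_entries = parse_os_db(SAMPLE_OS_DB)
    probes = parse_service_probes(SAMPLE_SERVICE_PROBES)
    print("VoIP OS fingerprints:")
    for name in voip_fingerprints(os_entries):
        print("   ", name)
    products = voip_service_products(probes)
    print("VoIP products in service probes:", products)
    all_names = [e["name"] for e in os_entries]
    print("Service-probe VoIP devices with no OS fingerprint:",
          products_without_fingerprint(products, all_names))


if __name__ == "__main__":
    main()
```

To run it against a real installation, read `nmap-os-db` and `nmap-service-probes` from Nmap's data directory (typically `/usr/share/nmap` on Linux) in place of the two sample strings; pass every fingerprint name, not only the VoIP ones, to `products_without_fingerprint`, since a device may have an OS fingerprint whose name does not say "VoIP".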

For even more coolness, be sure to check out the Nmap Scripting Engine (NSE).

Wrapping up, I've nothing less than mad props for Fyodor and all of the other folks who've contributed to this fantastic tool. Nmap was one of the first tools I used 10 years ago when I was first cutting my teeth in security, and remarkably, it is a tool I continue to use almost daily.